VYPR
Moderate severityNVD Advisory· Published May 20, 2026· Updated May 20, 2026

Setup PHP: Command Injection in Repository-Derived PHP Version Resolution

CVE-2026-46420

Description

Summary

A command injection vulnerability was identified in shivammathur/setup-php when the action resolves the PHP version from repository-controlled files and uses that value while generating the platform setup script.

In affected versions, setup-php may read the PHP version from:

  • .php-version
  • composer.lock via platform-overrides.php
  • composer.json via config.platform.php

If an attacker can influence one of these files and the workflow executes setup-php in a trusted context, they may be able to execute commands on the GitHub Actions runner.

Impact

This issue is exploitable when setup-php is run after checking out attacker-controlled repository contents and resolves the PHP version from repository files.

The most significant example is a privileged workflow such as pull_request_target that checks out untrusted pull request code before invoking setup-php. Similar risk can also arise in other workflows that operate on attacker-controlled refs, branches, or repository contents in a trusted context.

This is not a separate security boundary when an attacker can already modify the workflow definition itself or directly control the php-version workflow input, since that level of access already permits arbitrary command execution in GitHub Actions.

Technical details

In affected versions, repository-derived PHP version values were insufficiently constrained before being incorporated into the generated shell or PowerShell setup script executed by the action. This could allow attacker-controlled values from supported repository files to influence script execution in trusted workflow contexts.

Remediation

If you are using shivammathur/setup-php@v2, no action is needed on your end. Users who pin the setup-php release version or release version SHA should upgrade to a patched version.

The fix validates PHP version inputs, constrains manifest-derived versions, hardens script generation at the execution, and includes additional checks in related input-handling paths.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
shivammathur/setup-phpGitHub Actions
>= 2.25.0, < 2.37.12.37.1

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.